Categories: SecurityWorkspace

Dark Market Zero-Days ‘Selling Regularly For $50k-$100k’

Previously unknown, unpatched vulnerabilities, known as zero-day flaws, are often selling for between $50,000 and $100,000 (£30,ooo-£60,000) on underground hacking forums, according to Symantec researchers.

Despite bug bounty programmes from major software vendors like Microsoft and Google that offer researchers thousands of pounds for their vulnerabilities, underground criminals are still able to offer more, said Candid Wueest, from Symantec’s Security Response team.

Big zero-day money

He said prices for zero-days were rising because they were increasingly difficult to find.

“For code execution through a browser… it often takes a few vulnerabilities together to execute code,” he told TechWeekEurope. “This makes it more difficult to find one and then the prices rise.”

Wueest said it was “a small market but definitely regular” and even if the likes of Microsoft can offer money via bug bounty programmes, there will be someone offering more on the dark web forums.

In 2012, TechWeek heard that a vulnerability affecting Oracle Java was selling for $100,000, but such high sales were a rarity.

Microsoft recently raised the maximum amount it would pay for reported vulnerabilities and also said it would give money out to those who simply alerted the company to zero-days, without having to show how an exploit would work.

Even Tesla, the car manufacturer, has adopted a vulnerability reward programme, indicating there will be more legitimate money on offer for researchers in the coming years.

Yet attackers are still keen to get their hands on such flaws. Symantec told TechWeek it had seen the attackers thought to have been involved in breaching Google in 2009 in action in the last couple of weeks.

The Elderwood hacker group was seen targeting various industries, including government defence contractors, with a number of zero-days, and has continued to operate despite much attention from the security community.

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

21 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

22 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

23 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago